This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org. STIX Common1.0.104/08/2013 9:00:00 AMStructured Threat Information eXpression (STIX) - Common - Schematic implementation for the common types of a structured cyber threat expression language architecture.Copyright (c) 2012-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the STIX License located at http://stix.mitre.org/about/termsofuse.html. See the STIX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the STIX Schema, this license header must be included. The InformationSourceType details the source of a given data entry.
The Identity field is optional and specifies the identity of the information source.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.0/ciq_identity.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
The Contributors field is optional and enables description of the individual contributors involved in this instance.The Time element is optional and enables description of various time-related attributes for this instance.The Tools element is optional and enables description of the tools utilized for this instance.The References field is optional and enables specification of references to information source material for this instance.The ConfidenceType specifies a level of Confidence held in some assertion.
Specifies the level of confidence held in this direct assertion.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd .
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Description field provides a description of the confidence value and how it was derived.
The Source field specifies the source of this confidence assertion. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.0. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
The Confidence_Assertion_Chain field specifies a set of related confidence levels in this assertion along with who made them, when they were made and how they were made.Specifies the time of this Confidence assertion.The Date_Time field specifies the date and time at which the activity occured.The Description field provides a description of the activity.This field specifies a single kill chain definition for reference within specific TTP entries, Indicators and elsewhere.The KillChainType characterizes a specific Kill Chain definition for reference within specific TTP entries, Indicators and elsewhere.This field specifies the name of an individual phase within this kill chain definition.A globally unique identifier for this kill chain definition.A descriptive name for this kill chain definition.The organization or individual responsible for this kill chain definition.A resource reference for this kill chain definition.The number of phases in this kill chain definition.The KillChainPhaseType characterizes an individual phase within a kill chain definition.This field specifies the ID for the relevant kill chain phase.This field specifies the descriptive name of the relevant kill chain phase.This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.The Kill_Chain_Phase field specifies a single Kill Chain phase associated with this item.This field specifies the ID for the relevant defined kill chain.This field specifies the descriptive name of the relevant kill chain.
The IdentityType is used to express identity information for both individuals and organizations.
This type is extended through the xsi:type mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.0/ciq_identity_3.0.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field of this type.
The Name field allows for expression of an identity through a simple name.The Related_Identities field identifies other entity Identities related to this entity Identity.Specifies a unique ID for this Identity.Specifies a reference to a unique ID defined elsewhere.Allows the expression of a list of relationships between STIX components. It's extended throughout STIX and should not be used directly. Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually. ScopeEnum is an enumeration of potential assertions on how a group of relationships should be treated.A single relationship is being defined between the subject and the collection of objects indicated by the related items.Multiple relationships are being defined between the specific subject and each object individually.Allows the expression of relationships between STIX components. It is extended by each component relationship type to add the component itself.The confidence field specifies the level of confidence in the assertion of the relationship between the two components.The Information_Source field specifies the source of the information about the relationship between the two components.
The relationship field characterizes the type of the relationship between the two components.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.0. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
Identifies or characterizes a relationship to a campaign.
A reference to or representation of the related campaign.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.0/campaign.xsd.
Identifies or characterizes a relationship to a course of action.
A reference or representation of the related course of action.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.0/course_of_action.xsd.
Identifies or characterizes a relationship to an exploit target.
A reference to or representation of the related exploit target.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.0/exploit_target.xsd.
Identifies or characterizes a relationship to an incident.
A reference to or representation of the related incident.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.0/incident.xsd.
Identifies or characterizes a relationship to an indicator.
A reference to or representation of the related indicator.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.0/indicator.xsd.
Identifies or characterizes a relationship to a cyber observable.A reference to or representation of the related cyber observable.Identifies or characterizes a relationship to a threat actor.
A reference or representation of the related threat actor.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.0/threat_actor.xsd.
Identifies or characterizes a relationship to an TTP.
A reference to or representation of the related TTP.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.0/ttp.xsd.
Identifies or characterizes a relationship to an Identity.
A reference to or representation of the related Identity.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.0/ciq_identity_3.0.xsd.
This type represents the STIX Indicator component. It is extended using the XML Schema Extension feature by the STIX Indicator type itself. Users of this type who wish to express a full indicator using STIX must do so using the xsi:type extension feature. The STIX-defined Indicator type is IndicatorType in the http://stix.mitre.org/Indicator-1 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/1.2/indicator.xsd.
Alternatively, uses that require simply specifying an idref as a reference to an indicator defined elsewhere can do so without specifying an xsi:type.
Specifies a unique ID for this Indicator.Specifies a reference to the ID of an Indicator specified elsewhere.
This type represents the STIX Incident component. It is extended using the XML Schema Extension feature by the STIX Incident type itself. Users of this type who wish to express a full incident using STIX must do so using the xsi:type extension feature. The STIX-defined Incident type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.0/incident.xsd.
Alternatively, uses that require simply specifying an idref as a reference to an incident defined elsewhere can do so without specifying an xsi:type.
Specifies a globally unique identifier for this cyber threat Incident.Specifies a globally unique identifier for a cyber threat Incident specified elsewhere.
This type represents the STIX TTP component. It is extended using the XML Schema Extension feature by the STIX TTP type itself. Users of this type who wish to express a full TTP using STIX must do so using the xsi:type extension feature. The STIX-defined TTP type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.0/ttp.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a TTP defined elsewhere can do so without specifying an xsi:type.
Specifies a globally unique identifier for this TTP item. Specifies a globally unique identifier of a TTP item specified elsewhere.
This type represents the STIX Exploit Target component. It is extended using the XML Schema Extension feature by the STIX Exploit Target type itself. Users of this type who wish to express a full exploit target using STIX must do so using the xsi:type extension feature. The STIX-defined Exploit Target type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.0/exploit_target.xsd.
Alternatively, uses that require simply specifying an idref as a reference to an exploit target defined elsewhere can do so without specifying an xsi:type.
Specifies a globally unique identifier for this ExploitTarget. Specifies a globally unique identifier of an ExploitTarget specified elsewhere.
This type represents the STIX Course of Action component. It is extended using the XML Schema Extension feature by the STIX Course of Action type itself. Users of this type who wish to express a full course of action using STIX must do so using the xsi:type extension feature. The STIX-defined Course of Action type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.0/course_of_action.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a course of action defined elsewhere can do so without specifying an xsi:type.
Specifies a globally unique identifier for this COA. Specifies a globally unique identifier of a COA specified elsewhere.
This type represents the STIX Campaign component. It is extended using the XML Schema Extension feature by the STIX Campaign type itself. Users of this type who wish to express a full campaign using STIX must do so using the xsi:type extension feature. The STIX-defined Campaign type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.0/campaign.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a campaign defined elsewhere can do so without specifying an xsi:type.
Specifies a globally unique identifier for this cyber threat Campaign.Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere.
This type represents the STIX Threat Actor component. It is extended using the XML Schema Extension feature by the STIX Threat Actor type itself. Users of this type who wish to express a full threat actor using STIX must do so using the xsi:type extension feature. The STIX-defined Threat Actor type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.0/threat_actor.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a threat actor defined elsewhere can do so without specifying an xsi:type.
Specifies a globally unique identifier for this ThreatActor. Specifies a globally unique identifier of a ThreatActor specified elsewhere.
The Exploit_Target field characterizes a potential vulnerability, weakness or configuration target for exploitation.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.0/exploit_target.xsd.
The AddressAbstractType is used to express geographic address information.
This type is intended to be extended through the xsi:type mechanism. The default type is CIQAddress3.0InstanceType in the http://stix.mitre.org/extensions/Address#CIQAddress3.0-1 namespace. This type is defined in the extensions/identity/ciq_address_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/address/ciq_address_3.0/1.0/ciq_address_3.0.xsd.
This field contains information describing the identity, resources and timing of involvement for a single contributor.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.0/ciq_identity.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
The Reference field is optional and enables specification of a reference to an information source material.The Related_Identity field identifies a single other entity Identity related to this entity Identity.The Confidence_Assertion field specifies a related confidence level in this assertion along with who made it, when it was made and how it was made.
StatementType allows the expression of a statement with an associated value, description, source, confidence, and timestamp.
Specifies a value characterizing the statement within some vocabulary.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary may be provided by the field using this construct. If that's the case, the schema annotations on that element will describe which vocabulary to use. If not, the default vocabulary is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd .
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Specifies a prose description of the statement.
The Source field captures the source of this statement. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.0. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
The Confidence field characterizes the level of confidence held in the statement.Specifies the time this statement was asserted.The StructuredTextType is a type representing a generalized structure for capturing structured or unstructured textual information such as descriptions of things. It mirrors a similar type in CybOX 2.0Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
This type is used to represent data in an XML CDATA block. Data in a CDATA block may either be represented as-is or, in cases where it may contain characters that are not valid in CDATA, it may be encoded in Base64 per RFC4648. Data encoded in Base64 must be denoted as such using the encoded attribute.
If true, specifies that the content encoded in the element is encoded using Base64 per RFC4648.The ControlledVocabularyStringType is used as the basis for defining controlled vocabularies.The vocab_name field specifies the name of the controlled vocabulary.The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.